vSphere 6.0 Lockdown Modes

Lockdown mode has been around in various forms for many releases. The behaviors have changed a few times since 5.1 with varying levels of usability success. For vSphere 6.0 we are trying to address some of these issues. Personally, what I’d love to see happen with all customers running V6.0 is that you run at a minimum the “Normal” Lockdown Mode.

With vSphere 6 we are introducing a couple of new concepts

Normal Lockdown Mode

Strict Lockdown Mode

Exception Users

For this blog article we’ll focus on the two Lockdown Modes. Exception users will be covered in the next blog article.

Lockdown Modes

One of the stumbling blocks for customers implementing Lockdown Mode was that it was either on or off. In 5.1 only the “root” user could log into the DCUI. In 5.5 you could add users to the “DCUI.Access” list in the Host Advanced Settings. They did not need full administrative privileges. But they could bypass lockdown mode and access the DCUI.

Normal Lockdown Mode

In normal lockdown mode the DCUI service is not stopped. If the connection to the vCenter Server system is lost and access through the vSphere Web Client is no longer available, privileged accounts can log in to the ESXi host’s Direct Console Interface and exit lockdown mode. Only the following accounts can access the Direct Console User Interface:

Accounts in the Exception User list for lockdown mode who have administrative privileges on the host. The Exception Users list is meant for service accounts that perform very specific tasks. Adding ESXi administrators to this list defeats the purpose of lockdown mode.

Users defined in the DCUI.Access advanced option for the host. This option is for emergency access to the Direct Console Interface in case the connection to vCenter Server is lost. These users do not require administrative privileges on the host.

Strict Lockdown Mode

In strict lockdown mode, which is new in vSphere 6.0, the DCUI service is stopped. If the connection to vCenter Server is lost and the vSphere Web Client is no longer available, the ESXi host becomes unavailable unless the ESXi Shell and SSH services are enabled and Exception Users are defined. If you cannot restore the connection to the vCenter Server system, you have to reinstall the host.

Lockdown Mode and the ESXi Shell and SSH Services

Strict lockdown mode stops the DCUI service. However, the ESXi Shell and SSH services are independent of lockdown mode. For lockdown mode to be an effective security measure, ensure that the ESXi Shell and SSH services are also disabled. Those services are disabled by default.

When a host is in lockdown mode, users on the Exception Users list can access the host from the ESXi Shell and through SSH if they have the Administrator role on the host and if these services are enabled. This access is possible even in strict lockdown mode. Leaving the ESXi Shell service and the SSH service disabled is the most secure option.

How to enable Lockdown Modes

You need to be a privileged user to enable either Lockdown Mode. You can enable Lockdown Mode as follows:

When using the Add Host wizard to add a host to a vCenter Server system.

Via the vSphere Web Client. You can enable both Normal and Strict Lockdown Mode from here

Via the DCUI.

Note that the DCUI doesn’t offer the option of Normal or Strict. When you enable via the DCUI you will get Normal mode.

Can I do this via API’s? Specifically PowerCLI?

I’m glad you asked! With the awesome assistance of Brian Graf I can now share some code with you for managing Lockdown Mode and getting its values. This code is going in the vSphere Hardening Guide for 6.0! This code supersedes KB1008077 which addresses versions 4.x and 5.x

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

#Run this at the vCenter level or against an individual host

#Create HostLockdownMode object

$level=New-ObjectVMware.Vim.HostLockdownMode

#Populate with level of lockdown:(lockdownDisabled,lockdownNormal,lockdownStrict)

$level="lockdownStrict"

$esxihosts=get-vmhost

foreach($esxihost in$esxihosts)

{

$myhost=Get-VMHost$esxihost|Get-View

$lockdown=Get-View$myhost.ConfigManager.HostAccessManager

Write-Host"——————————–"

Write-Host"Setting Lockdown mode to "$level

$lockdown.ChangeLockdownMode($level)

$lockdown.UpdateViewData()

$lockdownstatus=$lockdown.LockdownMode

Write-Host"Lockdown mode on $esxihost is set to $lockdownstatus"

Write-Host"——————————–"

}

Note that while this code is perfect functional, it’s not elegant nor when you are running it against a LOT of hosts in a vCenter is it efficient. To make this whole process even easier I encourage you to go read Brian’s new blog article where he’s taken this code block and created an awesome function out of it! It’s some serious awesomesauce! Using this function (via vCenter only) makes setting Lockdown Mode incredibly simple. How about Set-LockdownMode –vmhost –Normal ? Yea, very cool! Go check it out!

Lockdown Mode and vSphere Hardening Guide

You’ll find in the vSphere 6.0 Hardening guide a number of guidelines that are going to be removed or reclassified as “audit” values because the push will be for folks to use Lockdown Mode (at least Normal but for some the use of Strict may be appropriate) to manage access.

The setting being removed or reclassified are:

disable-dcui – Use Strict Lockdown Mode or don’t put the user on the DCUI.Access list

disable-esxi-shell – Disabled by default, may stay purely as an auditable setting

disable-ssh – Disabled by Default, may stay purely as an auditable setting

Also, instead of “enable-lockdown-mode” you’ll have “enable-strict-lockdown-mode” and “enable-normal-lockdown-mode”. As always, the guide is a set of guidelines and not mandates. It’s up to you and your security folks to decide which mode is appropriate for your environment.

I’d be really interested in hearing your opinion on whether to remove or reclassify these to just audit values for these guidelines

Recap

Went over the two types of Lockdown Mode, Normal and Strict

Showed how to enable Lockdown Mode via the published interfaces

Provided a code snippet to on how to manage Lockdown Mode via PowerCLI

Discussed the changes that Lockdown Mode bring to the vSphere Hardening Guide for 6.0

In the next Lockdown Mode blog article we’ll dive into Exception Users!

We hope that the new capabilities of Lockdown Mode in vSphere 6.0 are helpful.

Acknowledgements: Big shout-outs to Brian Graf for the PowerCLI rockstar moves and this blog article and the next one could not have been done without a massive amount of help from one of our incredible engineers, Velyo. Thank you both!

If you have questions, leave a comment or send them in. mfoley at vmware dot com. Thanks for reading!

mike

p.s. To those of you who don’t code in PowerShell, my apologies for not providing Perl or Python examples. Python is on my list of learning some day.

About the Author

Mike Foley is a Staff Technical Marketing Architect for vSphere Security at VMware.
His primary goal is to help IT Admins build more secure platforms that stand up to scrutiny from security teams with the least impact to IT Operations.
Mike is also the current author of the vSphere Security Configuration (formerly Hardening) Guide.
Previously, Mike was on the evangelist team at RSA where he concentrated on virtualization and cloud security. Mike was awarded a patent (8,601,544) in December 2013 for dual-band authentication using the virtual infrastructure
Mike has a personal blog at https://yelof.com and contributes to the VMware vSphere and Security blogs as well.
Follow him at @vSphereSecurity on Twitter

Comments

You need targeted visitors for your vSphere 6.0 Lockdown Modes | VMware vSphere Blog – VMware Blogs website so why not get some for free? There is a VERY POWERFUL and POPULAR company out there who now lets you try their traffic service for 7 days free of charge. I am so glad they opened their traffic system back up to the public! Sign up before it is too late: http://kout.eu/2y9i